Running the environment you described (beside openchange). I guess you need

 acl:read=false

in your smb.conf.

achim~

On 14.01.2013 23:29, Christian Hailer wrote:
Hello Samba group,

I ran into a problem concerning Dovecot LDAP authentication to the Samba4 
Active Directory.

Background: I want to install an Openchange+Samba4 environment using Sogo, 
Dovecot and Postfix. I didn't want to use openldap as described in the 
Openchange documentation; why should I use 2 LDAP databases?

Fedora 17, latest updates applied
Samba: Version 4.1.0pre1-GIT-813bd03
dovecot-2.1.10-4.fc17.i686

At first I tried to use the auth_bind method of Dovecot, but very soon I 
realized (via tcpdump) that you first have to authenticate to Samba4:

...
searchResDone
resultCode: operationsError (1)
matchedDN:
Operation unavailable without authentication
...

I defined the properties in dovecot-ldap.conf like this:

---------------------------------------------------
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword

base = dc=example,dc=de
scope = subtree
deref = never

user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%u)

pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
---------------------------------------------------

So trying to authenticate to Dovecot with a telnet connection

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
STARTTLS AUTH=PLAIN] Dovecot ready.
1 login someuser somepassword

results in the error message "result: mail=someu...@example.de; userPassword 
missing"

A tcpdump shows the following searchRequest:

---------------------------------------------------
Lightweight Directory Access Protocol
   LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree
   ...
   Filter: (sAMAccountName=someuser)
     filter: equalityMatch (3)
      equalityMatch
        attributeDesc: sAMAccountName
        assertionValue: someuser
   attributes: 2 items
     AttributeDescription: mail
     AttributeDescription: userPassword
---------------------------------------------------

As a result I get:

---------------------------------------------------
Lightweight Directory Access Protocol
   LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 
result]
   ...
   searchResEntry
     objectName: CN=someuser, OU=USER,DC=example,DC=de
     attributes: 1 item
       PartialAttributeList item mail
         type: mail
         vals: 1 item
           AttributeValue: someu...@exchange.de
---------------------------------------------------

So unfortunately the "userPassword" attribute is missing. Now, I remembered the 
"Control Delegation Wizard" from Microsoft AD where you have to delegate permission to 
read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users 
on a linux server.

I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the 
behaviour did not change; the "userPassword" attribute won't be delivered to the "ldap" 
user.

Is anybody out there who ran into the same problem?

Best regards, Christian
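As an added example (not from either mail, and not Samba or Dovecot project code), here is a small Python script that automates the comparison Christian made by hand with tcpdump: it parses the dovecot-ldap.conf fragment quoted above, checks the requested pass_attrs against the attribute list that actually came back in the searchResEntry, and rewrites the configuration to Dovecot's documented auth_bind mode, in which the DC verifies the password through an LDAP bind and no password hash has to leave the directory. The returned mail address is a constructed placeholder (the trace elides it), and the function names are mine.

```python
# Added example (not from the thread): diagnose a Dovecot passdb-LDAP
# configuration against the attribute list the AD DC actually returned.

# Constructed copy of the dovecot-ldap.conf fragment quoted in the thread.
DOVECOT_LDAP_CONF = """\
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword

base = dc=example,dc=de
scope = subtree
deref = never

user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%u)

pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
"""

# Attributes in the captured searchResEntry: only "mail" came back.
# The address is a constructed placeholder; the trace elides the real one.
RETURNED_ATTRS = {"mail": ["someuser@example.de"]}


def parse_conf(text):
    """Parse 'key = value' lines of a Dovecot config fragment into a dict.
    Blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_attr_map(spec):
    """Turn 'ldapAttr=dovecotField,ldapAttr2=field2' into {ldapAttr: field}.
    A bare 'ldapAttr' keeps its own name as the field, as Dovecot does."""
    mapping = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ldap_attr, _, field = item.partition("=")
        mapping[ldap_attr.strip()] = field.strip() or ldap_attr.strip()
    return mapping


def diagnose(conf, returned_attrs):
    """Compare what passdb asks for with what the directory returned.

    Reports which requested pass_attrs are missing from the search result
    and whether the setup depends on reading password material over LDAP
    (the failure mode shown in the thread) instead of letting the DC verify
    the password via an LDAP bind."""
    auth_bind = conf.get("auth_bind", "no").lower() == "yes"
    pass_map = parse_attr_map(conf.get("pass_attrs", ""))
    password_attrs = [a for a, f in pass_map.items() if f == "password"]
    findings = []
    if not auth_bind and password_attrs:
        findings.append(
            "passdb expects to read %s from the directory; the DC withholds "
            "password attributes from LDAP searches" % ", ".join(password_attrs))
    missing = [a for a in pass_map if a not in returned_attrs]
    for attr in missing:
        findings.append("requested attribute %r absent from searchResEntry" % attr)
    return {"auth_bind": auth_bind, "missing": missing, "findings": findings}


def to_auth_bind(conf):
    """Rewrite the config to Dovecot's documented auth_bind mode: keep dn/dnpass
    for the user lookup, bind as the found DN to verify the password, and stop
    asking for a password attribute. Returns a new dict; input is unchanged."""
    fixed = dict(conf)
    fixed["auth_bind"] = "yes"
    pass_map = parse_attr_map(conf.get("pass_attrs", ""))
    kept = ["%s=%s" % (a, f) for a, f in pass_map.items() if f != "password"]
    fixed["pass_attrs"] = ",".join(kept)
    return fixed


def render_conf(conf):
    """Serialize a config dict back into 'key = value' lines."""
    return "\n".join("%s = %s" % kv for kv in conf.items()) + "\n"


if __name__ == "__main__":
    conf = parse_conf(DOVECOT_LDAP_CONF)
    for finding in diagnose(conf, RETURNED_ATTRS)["findings"]:
        print("finding:", finding)
    print(render_conf(to_auth_bind(conf)))
```

Dovecot documents that with auth_bind = yes and dn/dnpass set, it binds as the service account to locate the user's DN and then binds again as that DN with the password the client supplied, so the directory is never asked to disclose userPassword and the check in diagnose() reports nothing.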
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba